For the most part Web API 2.0 authorization just work if all want is to apply Authorize attribute with hardcoded roles to the API controller method. Long time ago I put a bit code to get more flexible authorization scheme and also visualize permissions. All of that worked based on custom attribute class derived from AuthorizationAttribute. Recently I decided to secure and visualize my Web API methods and was stumbled when Web API custom attribute didn't work.

It turned out that there there are two AuthorizationAttribute classes - System.Web.Mvc.AuthorizeAttribute and System.Web.Http.AuthorizeAttribute. The first one is for ASP.Net MVC and the second one for Web API. Now I start to see the value of unified controllers and converges of ASP.NET MVC with Web API in ASP.Net Core 1.0. There are only going to be one controller and one Authorize attribute and I won't have to write code like this:

public class PageFeature : System.Web.Mvc.AuthorizeAttribute  
{
    private readonly IAuthorizationProvider _authorizationProvider;

    public PageFeature(string name, IAuthorizationProvider authorizationProvider, params string[] groups)
    {
        _authorizationProvider = authorizationProvider ?? new AuthorizationProvider(groups);
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        return _authorizationProvider.IsAuthorized(httpContext.Request.IsAuthenticated, httpContext.User.IsInRole);
    }
}

public class ApiFeature : System.Web.Http.AuthorizeAttribute  
{
    private readonly IAuthorizationProvider _authorizationProvider;

    public ApiFeature(string name, IAuthorizationProvider authorizationProvider, params string[] groups)
    {
        _authorizationProvider = authorizationProvider ?? new AuthorizationProvider(groups);
    }

    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        var principal = actionContext.RequestContext.Principal as WindowsPrincipal;
        if (principal == null || principal.Identity == null)
        {
            return false;
        }
        return _authorizationProvider.IsAuthorized(principal.Identity.IsAuthenticated, principal.IsInRole);
    }

    protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
    {
        var response =
                actionContext.Request.CreateErrorResponse(
                HttpStatusCode.Unauthorized, "unauthorized");

        response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Bearer", "permission required."));

        actionContext.Response = response;
    }
}

Having two classes derived from two different classes presents some challenges if you want to handle them in generic way (give me features of all types) since you can't have a common base class (only interface).